Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...

[Amir Herzberg <herzbea () cs biu ac il>]

"David Wall @ Yozons, Inc." responded to me:
> > and most visible and sensitive web sites still ask users to enter
> > passwords into unprotected web forms - making it trivial for attackers
> > to emulate these pages and steal passwords. These include PayPal, chase,
> >  Microsoft's passport, Yahoo!, eBay, TD Waterhouse,...  (I've checked
> > most of them about a month ago and this was still the case; I've checked
> >  PayPal today...)
>
> Your tool may be nice, but Paypal does redirect to an SSL site if you type
> in paypal.com or www.paypal.com and if you click the "log in" link.  

PayPal redirects to SSL site once you hit the `log in` link, but it also 
asks users for userid and password directly at its (unprotected) 
homepage, http://www.paypal.com. The same holds for Chase, Yahoo! etc 
(see screen shots and links from the paper, 
http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm).
Some of them (e.g. Chase) are especially misleading as they display a 
padlock next to the `login` button, which users may interpret as `this 
is protected`.  But of course these pages are not protected at all so 
they are trivial to spoof (and collect the passwords).

> Of course, this helps, but since most web users are not savvy and don't use
> your tool, such a "fix" rarely helps.  

Exactly my point. Conclusions:
1. Web users should be encouraged to use TrustBar (or browsers, or 
add-ins, providing equivalent functionality).
2. Browser developers should incorporate TrustBar (or equivalent 
mechanisms). This should be easy, esp. since our project is open-source 
(http://trustbar.mozdev.org) and as far as I know patent-free.
3. Web site designers should be more sensitive to this threat... It is 
amazing that such major sites have such obvious and trivial to fix 
vulnerabilities, and noticed I've informed them all; the only positive 
response I got was some discount vouchers from TD Waterhouse - but 
really I would have preferred, if they also acted on my trivial 
recommendation...

> After all, someone who is naive
> enough to follow such paypal links probably doesn't know anything about
> keeping themselves safe online, which is why they are targeted.
Here you are wrong; the problem is at the mail paypal site so many users 
- even not naive - may reach this site.

Best, Amir Herzberg
http://AmirHerzberg.com
Associate Professor, Computer science department, Bar Ilan University